[
https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126323#comment-15126323
]
Samir Ahmic commented on HBASE-15122:
-------------------------------------
I was able to successfully build master after adding the commons-beanutils-core and
xalan dependencies to supplemental-models. Here is the diff:
{code}
diff --git a/hbase-resource-bundle/src/main/resources/supplemental-models.xml
b/hbase-resource-bundle/src/main/resources/supplemental-models.xml
index 2f94226..357a9e3 100644
--- a/hbase-resource-bundle/src/main/resources/supplemental-models.xml
+++ b/hbase-resource-bundle/src/main/resources/supplemental-models.xml
@@ -61,6 +61,42 @@ under the License.
</licenses>
</project>
</supplement>
+ <supplement>
+ <project>
+ <groupId>commons-beanutils</groupId>
+ <artifactId>commons-beanutils-core</artifactId>
+
+ <organization>
+ <name>The Apache Software Foundation</name>
+ <url>http://www.apache.org/</url>
+ </organization>
+ <licenses>
+ <license>
+ <name>Apache Software License, Version 2.0</name>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+ <distribution>repo</distribution>
+ </license>
+ </licenses>
+ </project>
+ </supplement>
+ <supplement>
+ <project>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+
+ <organization>
+ <name>The Apache Software Foundation</name>
+ <url>http://www.apache.org/</url>
+ </organization>
+ <licenses>
+ <license>
+ <name>The Apache Software License, Version 2.0</name>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+ <distribution>repo</distribution>
+ </license>
+ </licenses>
+ </project>
+ </supplement>
<!-- Artifacts with ambiguously named licenses in POM -->
<supplement>
<project>
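Review bot: the two added supplements spell the same license differently ("Apache Software License, Version 2.0" in the commons-beanutils-core entry vs "The Apache Software License, Version 2.0" in the xalan entry); since this file exists to give artifacts a consistent license name (see the "ambiguously named licenses" comment right after the hunk), use one spelling for both, matching what the existing entries in the file already use. The stray blank line after each `<artifactId>` element can also be dropped.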
{code}
Is this an acceptable solution, [~busbey]?
> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
> Key: HBASE-15122
> URL: https://issues.apache.org/jira/browse/HBASE-15122
> Project: HBase
> Issue Type: Bug
> Reporter: stack
> Priority: Critical
> Attachments: HBASE-15122.patch
>
>
> In our JMXJsonServlet we are doing this:
> jsonpcb = request.getParameter(CALLBACK_PARAM);
> if (jsonpcb != null) {
> response.setContentType("application/javascript; charset=utf8");
> writer.write(jsonpcb + "(");
> ...
> Findbugs complains rightly. There are other instances in our servlets and
> then there are the pages generated by jamon excluded from findbugs checking
> (and findbugs volunteers that it is dumb in this regard finding only the most
> egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am
> wrong). I started to pull on this thread and it runs deep. Our Jamon
> templating (last updated in 2013 and before that, in 2011) engine doesn't
> seem to have sanitizing means either and there seems to be an outstanding XSS
> complaint against jamon that goes unaddressed.
> Could pull in something like
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all
> emissions via it or get a templating engine that has sanitizing built in.
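The JMXJsonServlet pattern quoted in the issue (writing the callback parameter straight into an `application/javascript` response) cannot be fixed by output encoding alone, because the callback name lands in JavaScript code position, not inside a string. The usual fix is a strict allow-list. The class below is an added example written for this thread, not HBase's code or the OWASP encoder; `JsonpCallbackValidator`, `isSafeCallback`, `wrapJsonp` and the sample inputs are all assumed/constructed.

```java
import java.util.regex.Pattern;

// Added example (not HBase code): a strict allow-list for JSONP callback names,
// the standard mitigation for echoing request.getParameter(...) into a script.
public final class JsonpCallbackValidator {
    // Accept only a dotted JavaScript identifier path, e.g. "cb" or "app.cb".
    // Quotes, parentheses, angle brackets, whitespace and ";" are all rejected,
    // so nothing written before "(" can break out into attacker-chosen code.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");
    private static final int MAX_LEN = 128; // assumed cap; keeps the regex cheap

    private JsonpCallbackValidator() {}

    /** True only if the name may be emitted verbatim ahead of "(". */
    public static boolean isSafeCallback(String name) {
        return name != null
            && name.length() <= MAX_LEN
            && SAFE_CALLBACK.matcher(name).matches();
    }

    /**
     * Builds the body a servlet would write: callback "(" json ");".
     * Throws on an unsafe name so the caller can answer 400 Bad Request
     * instead of reflecting the parameter into application/javascript.
     */
    public static String wrapJsonp(String callback, String json) {
        if (!isSafeCallback(callback)) {
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        return callback + "(" + json + ");";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate names, four that must be refused.
        String[] inputs = {
            "cb", "app.handlers.cb", "cb;alert(1)//", "<script>x</script>", "a b", ""
        };
        for (String in : inputs) {
            System.out.println("\"" + in + "\" -> "
                + (isSafeCallback(in) ? "accepted" : "rejected"));
        }
        System.out.println(wrapJsonp("cb", "{\"beans\":[]}"));
    }
}
```

In a servlet the check runs before `response.setContentType(...)` and before any byte of the body is written, so a rejected request never switches the response into a script context.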
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)